Guide to recovery from intrusion systems (2)

Source: Internet
Author: User

Generally, the log format of the sniffer program is as follows:
-- TCP/IP LOG -- TM: Tue Nov 15 15:12:29 --
PATH: not_at_risk.domain.com (1567) => at_risk.domain.com (telnet)
Run the following command to obtain the list of hosts under threat from the sniffer program's log file:

    % grep PATH: $sniffer_log_file | awk '{print $4}' | \
        awk -F'(' '{print $1}' | sort -u
You may need to adjust the command to the actual log format. Some sniffer programs encrypt their log files, which makes checking harder.
Keep in mind that the hosts listed in the sniffer program's log file are not the only ones threatened by the attacker; other hosts may also be at risk.
We recommend that you participate in the renewal.
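The extraction above depends on the exact spacing of the log. The following script is an added example, not part of the original guide or of any sniffer program: it parses a constructed log in the format shown above, tolerates both "host(port)" and "host (port)" spellings, lists the destination hosts (the "at risk" side of "=>") and the source hosts, and counts captured sessions per destination so that notification can be prioritised. The host names are constructed.

```shell
#!/bin/sh
# Added example: extract hosts from a sniffer log of the form
#   PATH: src(port) => dst(service)
# The sample log written below is constructed for this example.

SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
-- TCP/IP LOG -- TM: Tue Nov 15 15:12:29 --
PATH: not_at_risk.example.com(1567) => alpha.example.com(telnet)
-- TCP/IP LOG -- TM: Tue Nov 15 15:13:02 --
PATH: not_at_risk.example.com(1570) => beta.example.com(ftp)
-- TCP/IP LOG -- TM: Tue Nov 15 15:14:41 --
PATH: other.example.com (2201) => alpha.example.com (pop)
EOF

# Hosts that received a captured session: passwords typed towards them
# went through the sniffer, so their accounts must be treated as exposed.
# The sed expression stops at whitespace or "(" so both spellings work.
at_risk_hosts() {
    grep 'PATH:' "$1" | sed -n 's/.*=>[[:space:]]*\([^[:space:](]*\).*/\1/p' | sort -u
}

# Hosts that originated a captured session: their users' credentials also
# passed through the sniffer, so their administrators should be notified too.
source_hosts() {
    grep 'PATH:' "$1" | sed -n 's/^PATH:[[:space:]]*\([^[:space:](]*\).*/\1/p' | sort -u
}

# Number of captured sessions per destination host, most exposed first.
session_counts() {
    grep 'PATH:' "$1" | sed -n 's/.*=>[[:space:]]*\([^[:space:](]*\).*/\1/p' \
        | sort | uniq -c | sort -rn
}

echo "At-risk hosts:";              at_risk_hosts "$SAMPLE_LOG"
echo "Source hosts:";               source_hosts "$SAMPLE_LOG"
echo "Sessions per at-risk host:";  session_counts "$SAMPLE_LOG"
```

Pass the real log file path to the functions instead of `$SAMPLE_LOG`; every host in either list should be reported to its administrators, not only those on the "at risk" side.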
6. Check other systems on the network
In addition to the systems known to have been intruded, you should also check all other systems on the network. In particular, check the hosts that share network services (such as NIS and NFS) with the compromised host, and the hosts that trust it through some mechanism (such as hosts.equiv or .rhosts files, or Kerberos servers).
We recommend that you use the CERT intrusion detection list for this check.
http://www.cert.org/tech_tips/intruder_detection_checklist.html
http://www.cert.org/tech_tips/win_intruder_detection_checklist.html
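The trust relationships named above (hosts.equiv, .rhosts, NFS exports) are plain text files, so the check can be scripted. The script below is an added example, not part of the original guide: it builds a small constructed file tree standing in for the root of a host being checked, then reports every entry that trusts the compromised host by name or through a "+" wildcard, which trusts every host including the compromised one. The host names, paths and file contents are constructed for the example.

```shell
#!/bin/sh
# Added example: find trust entries that point at a compromised host.
COMPROMISED="victim.example.com"      # constructed name of the compromised host

# Constructed file tree standing in for / of the host being checked.
ROOT="$(mktemp -d)"
mkdir -p "$ROOT/etc" "$ROOT/home/alice" "$ROOT/home/bob"
printf 'trusted.example.com\nvictim.example.com\n' > "$ROOT/etc/hosts.equiv"
printf 'victim.example.com alice\n'                > "$ROOT/home/alice/.rhosts"
printf '+ +\n'                                     > "$ROOT/home/bob/.rhosts"
printf '/export/home victim.example.com(rw)\n/pub *(ro)\n' > "$ROOT/etc/exports"

# Print "file:line:entry" for every hosts.equiv or .rhosts entry that names
# the compromised host or uses the "+" wildcard.
trust_refs() {
    root=$1; host=$2
    {
        [ -f "$root/etc/hosts.equiv" ] && echo "$root/etc/hosts.equiv"
        find "$root/home" -name .rhosts -type f 2>/dev/null
    } | while read -r f; do
        grep -n -E "(^|[[:space:]])(\+|$host)([[:space:]]|$)" "$f" | sed "s|^|$f:|"
    done
}

# NFS exports granted to the compromised host or to everyone ("*").
export_refs() {
    root=$1; host=$2
    grep -n -E "($host|\*)" "$root/etc/exports" 2>/dev/null \
        | sed "s|^|$root/etc/exports:|"
}

echo "rlogin/rsh trust entries involving $COMPROMISED:"
trust_refs "$ROOT" "$COMPROMISED"
echo "NFS exports reachable from $COMPROMISED:"
export_refs "$ROOT" "$COMPROMISED"
```

On a real host run the functions with `/` as the root and the compromised host's name; every reported entry marks a system that should be examined as if it had been compromised itself.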
7. Check the remote site involved or under threat
When reviewing log files, the output files of intrusion programs, and files created or modified since the system was compromised, note which remote sites may have connected to the compromised system. Experience shows that sites connected to compromised hosts are often compromised themselves, so identify other systems that may have been infiltrated as soon as possible and notify their administrators.
D. Notify the relevant CSIRT and the other sites involved
1. Incident report
Intruders usually use compromised accounts or hosts to launch attacks against other sites. If you find intrusion activity directed at other sites, we recommend that you contact those sites immediately. Tell them about the signs of intrusion you have discovered, and encourage them to check whether their own systems have been compromised and to protect them. Give them as many details as possible, including date/time stamps, the time zone, and any other information they need.
You can also submit an incident report to CERT (Computer Emergency Response Team), which provides recovery advice.
The site for mainland China is:
http://www.cert.org.cn
2. Contact the CERT Coordination Center
You can also fill out an incident report form and submit it by e-mail (see http://www.cert.org) to obtain further help. CERT analyzes attack trends based on incident report forms and summarizes the results in its security advisories and security summaries to prevent attacks from spreading. You can obtain an incident report form from the following URL:
http://www.cert.org/ftp/incident_reporting_form
3. Obtain contact information for the affected sites
If you need contact information for hosts under the top-level domains (.com, .edu, .net, .org, etc.), we recommend that you use the InterNIC whois database:
http://rs.internic.net/whois.html
If you want exact information about the reporters, use the InterNIC reporters directory:
http://rs.internic.net/origin.html
For more information, see:
http://www.apnic.net/apnic-bin/whois.pl
http://www.aunic.net/cgi-bin/whois.aunic
If you need contact information for other incident response teams, refer to the contact list of FIRST (Forum of Incident Response and Security Teams):
http://www.first.org/team-info/
For other contact information, see:
http://www.cert.org/tech_tips/finding_site_contacts.html
We recommend that you do not send mail to root or postmaster when you contact a host involved in the intrusion. Once such a host has been compromised, the intruder may have gained superuser privileges and may read or intercept e-mail.
E. Restore the system
1. Install a clean operating system version
Remember that if a host has been compromised, everything on the system may have been modified by the attacker, including the kernel, binary executables, data files, running processes, and memory. In general, you need to reinstall the operating system from the release media and install all security patches before reconnecting to the network. Only then can you be confident that the system is free of the attacker's backdoors. Merely identifying and fixing the security flaw the attacker exploited is not enough.
We recommend that you back up the entire system with a clean backup program before you reinstall it.
2. Disable unnecessary services
Configure only the services the system is meant to provide and disable all others. Check each configuration file to make sure it is not vulnerable and that the service is trustworthy. The most conservative policy is to disable all services and then enable only the ones you need.
3. Install all patches provided by the vendor
We strongly recommend that you install all the security patches. This is the most important step for your system to defend against external attacks and avoid further intrusion.
You should pay attention to all updates and patches for your system.
4. Check CERT's security advisories, security summaries, and vendor security bulletins
We encourage you to review CERT's previous security advisories and summaries, as well as your vendor's security bulletins. You must install all the security patches.
CERT security advisories:
http://www.cert.org/advisories/
CERT security summaries:
http://www.cert.org/advisories/
Vendor security bulletins:
ftp://ftp.cert.org/pub/cert_bulletins/
5. Exercise caution when using backup data
When recovering data from a backup, make sure that the backup was not taken from an already compromised host. Remember that the recovery process may reintroduce the security flaws the intruder exploited. If you restore only users' home directories and data files, remember that those files may contain a Trojan horse. Pay particular attention to .rhosts files in users' home directories.
6. Change the passwords
We recommend that you change the passwords of all accounts on the system after you fix the security vulnerability or configuration problem. Make sure that no account password is easily guessed. You may need vendor or third-party tools to enforce password strength.
CERT has published an article, "Choosing good passwords", to help you select good passwords.
F. Enhance system and network security
1. Check system security against the CERT UNIX/NT configuration guidelines
The CERT UNIX/NT configuration guidelines help you find configuration problems in your system that intruders commonly exploit.
http://www.cert.org/tech_tips/unix_configuration_guidelines.html
http://www.cert.org/tech_tips/win_configuration_guidelines.html
You can refer to the following article to decide which security tools to use:
http://www.cert.org/tech_tips/security_tools.html
2. Install security tools
Before connecting the system to the network, install all the security tools you have selected. It is also a good idea to use tools such as Tripwire and AIDE to compute MD5 checksums of the system files and to store the checksums in a safe place for future checks of the system.
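To make the checksum idea concrete, here is an added example, not part of the original guide and not code from Tripwire or AIDE: a minimal file-integrity baseline in the spirit of those tools. It records a hash for every file under a directory, then compares a later snapshot against that baseline and reports added, modified and removed files. It uses sha256sum rather than the MD5 mentioned above. The directory tree, file names and contents are constructed for the example.

```shell
#!/bin/sh
# Added example: a minimal file-integrity baseline (not Tripwire/AIDE code).

# Record "hash  path" for every regular file under $1 into the baseline file $2.
# Paths are relative to $1 so the baseline is portable across hosts.
# File names containing spaces or newlines are not handled by this format.
make_baseline() {
    (cd "$1" && find . -type f | LC_ALL=C sort | xargs sha256sum) > "$2"
}

# Compare the tree under $1 with baseline $2 and print ADDED/MODIFIED/REMOVED
# lines. The baseline must be read from read-only or off-host storage: a
# baseline kept on the checked host can be rewritten by whoever altered the files.
verify_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    awk 'NR == FNR { base[$2] = $1; next }
         { cur[$2] = $1 }
         END {
             for (f in base) if (!(f in cur)) print "REMOVED " f
             for (f in cur) {
                 if (!(f in base))           print "ADDED " f
                 else if (cur[f] != base[f]) print "MODIFIED " f
             }
         }' "$2" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# Demonstration on a constructed tree.
TREE=$(mktemp -d); BASELINE=$(mktemp)
mkdir -p "$TREE/bin" "$TREE/etc"
printf 'ELF stand-in\n' > "$TREE/bin/login"
printf 'root:x:0:0\n'   > "$TREE/etc/passwd"
make_baseline "$TREE" "$BASELINE"          # taken on the clean system

# Changes of the kind a compromise leaves behind: a replaced binary,
# a new trust file, and a deleted file.
printf 'replaced\n' > "$TREE/bin/login"
printf '+ +\n'      > "$TREE/etc/hosts.equiv"
rm -f "$TREE/etc/passwd"

echo "Differences from baseline:"
verify_baseline "$TREE" "$BASELINE"
```

Take the baseline immediately after the clean reinstall and before the system goes back on the network, copy it to write-once or off-host storage, and run the verification from trusted media so that a modified sha256sum or awk on the checked host cannot hide changes.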
3. Enable logging
Start the logging, auditing, and accounting programs and set them to an appropriate level; for example, the sendmail log level should be 9 or higher. Back up your log files frequently, or write logs to another machine, to an append-only file system, or to a secure log host.
4. Configure a firewall to defend the network
There are many articles on firewall configuration, so I will not list them here. You can also refer:
http://www.cert.org/tech_tips/packet_filtering.html
G. Reconnect to the Internet
After completing the preceding steps, you can connect the system to the Internet.
H. Update your security policy
The CERT Coordination Center recommends that each site have its own computer security policy. Each organization has its own culture and security requirements, so you need to define security policies based on your own situation. For more information, see RFC 2196, the Site Security Handbook:
ftp://ftp.isi.edu/in-notes/rfc2196.txt
1. Lessons learned
Summarize the lessons learned from the incident records; this helps you review your security policies.
2. Calculate the cost of the incident
Many organizations improve their security policies only after paying a heavy price. Calculating the cost of an incident helps your organization recognize the importance of security, and it makes managers aware of how important security is.
3. Improve your security policy
The last step is to update your security policy. All members of the organization must be aware of the changes and of their impact on them.
